We need native HTTPS support!


    I've made my point before, and couldn't agree more with you (jjason)

    I think your best option right now if you're fairly technical is to set up a VPN that you can connect to from your phone which allows you secure access to your internal network.

    I was pretty worried about this stuff when HSTouch was released and I saw my password going over the network... A big old nope from me... no way am I opening that port.

    The damage that can be done by a hacker is no longer digital damage.
    Joe (zimmer62)

    BLSecurtiy, AC-RF2, RCS Serial Thermostats, RFXCOM SMarthome SwitchLinc, mcsXap, Global Cache GC100, SqueezeBox, TWA_ONKYOINTEGRA, BLLogMonitor, BLPlugins, BLRadar, BLSpeech, BLZLog.aspx, HSTouch (Windows, iPhone, iPod), USB Mimo touchscreens, VMWare Server, Vortexbox, Windows Home Server, MyMovies, Windows Media Center, X10, ZWave, and much much much more.



      Originally posted by concordseer
      I generally research a product thoroughly and ensure that it satisfies my needs before I purchase it. If I find that it falls short of my expectations I move on and purchase an alternative. What I generally do not do is make a purchase in the hope that at some time in the future it will meet my demands or demand that it should.
      Generally I do too...

      They used to have SSL support... your argument falls short.

      Generally I expect a software product to continue to support existing features...
      Joe (zimmer62)





          Originally posted by Krumpy
          I agree with what Rich has stated. It would be a lot of work to redo the straight TCP based HSTouch clients to use HTTPS.

          If you are concerned (it makes sense) then I would implement a VPN solution and run HSTouch clients across that. I can help you with this if you're interested.
          I believe that people are bringing out very valid points that HS needs to address.
          • MyHS security: HS must have a third party check the site to see that it is truly secure. This should be done on a regular basis with that period being not less than one month and whenever any major changes are made. The results of this need to be made public via industry acceptable means. This usually means using the testing company's approval seal. HS, you are the gateway to our homes and we deserve nothing less.
          • Direct access via the web. I understand that making HTTPS direct access secure is an issue that's hard to do. It means that you either have to provide a full https front end to HS3 or depend on a full web server to provide that service. This also means that the user is now responsible to keep the HS3 secure and there is no way to test for that. For now I believe the best way is to use VPN for those that want direct access. Direct remote access to me is more of an advanced user feature so they should have no problem installing a VPN gateway.
          • Mobile apps: As HS has said, they are rewriting the mobile app; however, they have not said if this new mobile app will have a secure direct access feature. If we can do direct access using the mobile app then I'm good with that; however, the mobile SSL interface to HS3 should be probed by a third party for any weakness.
          HomeSeer Version: HS3 Standard Edition 3.0.0.548
          Linux version: Linux auto 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
          Number of Devices: 484 | Number of Events: 776

          Enabled Plug-Ins: 3.0.0.13: AirplaySpeak | 2.0.61.0: BLBackup
          3.0.0.70: EasyTrigger | 1.3.7006.42100: LiftMaster MyQ
          4.2.3.0: mcsMQTT | 3.0.0.53: PHLocation2 | 0.0.0.47: Pushover 3P
          3.0.0.16: RaspberryIO | 3.0.1.262: Z-Wave

          Z-Net version: 1.0.23 for Inclusion Nodes
          SmartStick+: 6.04 (ZDK 6.81.3) on Server



            built-in security without the cloud is a must

            I largely agree with the request for security in a home automation product controlling door locks, alarms and other critical systems. The VPN suggestions I see as only a temporary workaround. VPN tunnels break when the remote device connection changes, and the WAF is very poor. They just aren't an acceptable solution for mobile access. A third-party "cloud" should not be a prerequisite for security. This was billed as a self-contained system, which is one of the reasons some of us bought into the HS3 ecosystem. There is just no reason to relay through somebody else's server to access our own systems.

            A lot of good work has gone into HS3 and HSTOUCH. I think we can be optimistic for what the future holds. For those "advanced" users wanting secure remote access, it is not unreasonable to require the support of a web server in the PRO versions of Windows. Personally, I always use Windows Pro for my server PC. Linux of course has any number of well-supported web servers. I don't think this needs to rest on the shoulders of HS3 developers to re-invent the wheel to save users a few bucks on an appropriate OS.



              Some notes about security.

              We have made some server changes. When I test the myhs server with SSL Labs it gets an A.

              The HSTouch protocol encrypts the user/pass using AES 128 bit encryption so you will not see that on the wire.

              If you connect to the HS server directly using non SSL, it passes the user/pass using basic authentication base64 encoded, so there is no encryption there. When using SSL, everything is encrypted.

              I went ahead and updated HS3 to use the new SSL support included with .NET. So go ahead and give it a try. It is in build 398 and later. Here is the first build. You can always get the latest from the HS3 beta section. I am posting it here first for feedback. Now is your chance!

              http://homeseer.com/updates3/SetupHS3_3_0_0_398.msi

              Note that the settings for this have been moved to the "Labs" tab in setup until it gets tested.

              I removed the setting for the certificate file. The file is "server.pfx" and is in the HS root folder. There is one there already but you can replace as needed.
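The point in rjh's post above about Basic authentication on a non-SSL connection, as an added example (not part of the original post and not HomeSeer code): Base64 is an encoding with no key, so anyone reviewing a packet capture can confirm whether credentials were exposed. The request, host name and credentials below are constructed for illustration.

```python
import base64
import binascii

# Constructed sample: a cleartext HTTP request as it would appear in a packet
# capture. Host, path and credentials are made up for this example.
SAMPLE_REQUEST = (
    b"GET /status HTTP/1.1\r\n"
    b"Host: hs.example.internal\r\n"
    b"Authorization: Basic " + base64.b64encode(b"demo_user:demo-pass:1") + b"\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Return header names (lower-cased) mapped to values from a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_basic_auth(raw: bytes, over_tls: bool) -> dict:
    """Report whether a request exposes Basic credentials to a network observer."""
    auth = parse_headers(raw).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return {"basic_auth": False, "exposed": False}
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"basic_auth": True, "exposed": False, "error": "malformed token"}
    # RFC 7617: the user-id cannot contain ":", so split on the first one only.
    user, sep, password = decoded.partition(":")
    return {
        "basic_auth": True,
        "user": user,
        "password_recovered": bool(sep),
        "password_length": len(password),  # report the length, not the secret
        # Base64 needs no key, so without TLS anyone on the path can do this.
        "exposed": not over_tls,
    }


if __name__ == "__main__":
    print(audit_basic_auth(SAMPLE_REQUEST, over_tls=False))
```
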


                Originally posted by rjh
                We are still working on a totally new mobile app, which already does SSL for the connection.
                This is great news. Without giving too much away, can you offer any sort of release date window? And will it be a custom builder format like HSTouch?



                  For custom built apps, you can use HSTouch, that will continue to be supported.

                  The new app is not customizable, other than a custom dashboard screen.

                  The goal here is an easier to use app that a new user can use to control their system, including creating events, all from their phone. New users expect this today.

                  It displays devices in a new format, rather than all the separate devices you now see in HSTouch.

                  This is not going to be a "power user" app.

                  Time frame is hopefully by spring we will have something to beta.

                  Originally posted by rxatwell
                  This is great news. Without giving too much away, can you offer any sort of release date window? And will it be a custom builder format like HSTouch?


                    Originally posted by rjh
                    For custom built apps, you can use HSTouch, that will continue to be supported.

                    The new app is not customizable, other than a custom dashboard screen.

                    The goal here is an easier to use app that a new user can use to control their system, including creating events, all from their phone. New users expect this today.

                    It displays devices in a new format, rather than all the separate devices you now see in HSTouch.

                    This is not going to be a "power user" app.

                    Time frame is hopefully by spring we will have something to beta.
                    I can appreciate that and am glad to hear that HSTouch is still going to be supported. Thanks for the update!



                      Originally posted by rjh
                      For custom built apps, you can use HSTouch, that will continue to be supported.

                      The new app is not customizable, other than a custom dashboard screen.

                      The goal here is an easier to use app that a new user can use to control their system, including creating events, all from their phone. New users expect this today.

                      It displays devices in a new format, rather than all the separate devices you now see in HSTouch.

                      This is not going to be a "power user" app.

                      Time frame is hopefully by spring we will have something to beta.
                      Great news Rich. Your product will have greater appeal to the man or woman in the street if it's plug and go. I for one just want a product that does the job. I'm not interested in "eye candy". That's where a lot of products have failed in the past.

                      For those looking for "bleeding edge" solutions there's no shortage of alternatives out there. I'd rather contribute to development of a product than knock it.



                        Originally posted by rjh
                        Some notes about security.

                        We have made some server changes. When I test the myhs server with SSL Labs it gets an A.

                        The HSTouch protocol encrypts the user/pass using AES 128 bit encryption so you will not see that on the wire.

                        If you connect to the HS server directly using non SSL, it passes the user/pass using basic authentication base64 encoded, so there is no encryption there. When using SSL, everything is encrypted.

                        I went ahead and updated HS3 to use the new SSL support included with .NET. So go ahead and give it a try. It is in build 398 and later. Here is the first build. You can always get the latest from the HS3 beta section. I am posting it here first for feedback. Now is your chance!

                        http://homeseer.com/updates3/SetupHS3_3_0_0_398.msi

                        Note that the settings for this have been moved to the "Labs" tab in setup until it gets tested.

                        I removed the setting for the certificate file. The file is "server.pfx" and is in the HS root folder. There is one there already but you can replace as needed.


                        That is outstanding, will the HTTPS feature set be supported in the Linux flavor of HS3?




                          A few thoughts about that:

                          HSTouch has some serious shortcomings that would need to be addressed for it to remain competitive. When I want to turn a light off and I'm in bed, due to the way I keep my phone plugged in when I sleep, I have to do it all upside down. Not cool. Just an example. There are more. A LOT more. And I can give examples where the competition beats the snot out of HSTouch. Right out the door. Little configuration or setup required.

                          Fix HSTouch. It's busticated on every platform and all around. It's the worst performing product HST has by a margin that boggles the mind.

                          I know this will be ignored like every other comment about how awful the HS UI is.
                          I'm sorry I wasted my few minutes typing this out.


                          The second is if the new interface is anything like the new HSTouch stock........ Nope.

                          My enthusiasm for the new product just dropped by about 95%. I was hoping for an alternative to HSTouch but with similar functionality.


                          You folks need to wake up and realize that you're riding a sinking ship. You have the automation and compatibility angle covered but that doesn't mean anything if everyone buys a Google or Amazon or whoever device that can turn a light on and off. You are losing market percentage by the second.

                          My hopes are dashed.
                          Originally posted by rprade
                          There is no rhyme or reason to the anarchy a defective Z-Wave device can cause



                            Yes. We should have betas posted for all systems this weekend so you can try the Linux version.

                            Originally posted by Kerat
                            That is outstanding, will the HTTPS feature set be supported in the Linux flavor of HS3?




                              You are correct about HSTouch, however, it really does not compete with other systems. It was intended to be for dealers, for creating custom control screens. We have a ton of users who love it and it works great for them. I use it on all of my screens in my home, and it works perfect for me. The default project was our best attempt at a "universal" app. But that falls short as it was never designed to work like that. As a custom app, there is NO competition. Nothing that I know of anyway, unless you consider a system like Crestron.

                              The new app looks totally different. The UI works as you would expect on the platform it's on. It has slide in menus, material graphics, etc. It does not look anything like HSTouch.

                              As far as "sinking", HomeSeer has just had its best sales year ever, by far. I am sorry we are not living up to your expectations, but we have a lot of cool stuff coming out in 2018.

                              Originally posted by S-F
                              A few thoughts about that:

                              HSTouch has some serious shortcomings that would need to be addressed for it to remain competitive. When I want to turn a light off and I'm in bed, due to the way I keep my phone plugged in when I sleep, I have to do it all upside down. Not cool. Just an example. There are more. A LOT more. And I can give examples where the competition beats the snot out of HSTouch. Right out the door. Little configuration or setup required.

                              Fix HSTouch. It's busticated on every platform and all around. It's the worst performing product HST has by a margin that boggles the mind.

                              I know this will be ignored like every other comment about how awful the HS UI is.
                              I'm sorry I wasted my few minutes typing this out.


                              The second is if the new interface is anything like the new HSTouch stock........ Nope.

                              My enthusiasm for the new product just dropped by about 95%. I was hoping for an alternative to HSTouch but with similar functionality.


                              You folks need to wake up and realize that you're riding a sinking ship. You have the automation and compatibility angle covered but that doesn't mean anything if everyone buys a Google or Amazon or whoever device that can turn a light on and off. You are losing market percentage by the second.

                              My hopes are dashed.


                                Please don't get me wrong. I use HSTouch with custom screens that I really like and I'm generally an avid supporter of HS3 and HSTouch in general as should be evidenced by my forum activity. That said, I am willing to see the good with the bad. I'm extremely pleased to hear of the success you've had this year but I imagine that this has a lot to do with the great hardware you've brought to market recently. I want nothing more than for you to succeed and when Bill Gates dies and leaves all of his money to me I plan on investing a few hundred million in HST. It comes up quite a bit here that HS3 is an automation product as opposed to home control. The weak link with HS3 is the control aspect. Every other home automation system with maybe the exception of Crestron is almost entirely focused on the interface. HSTouch has the possibility of being the be all and end all of home control, but there are just too many issues with it.